Text Messages and HIPAA Compliance

How to Remain HIPAA Compliant when Text Messaging

Sending text messages and HIPAA compliance became an issue for a number of healthcare organizations when, in 2013, the Final Omnibus Rule enacted specific regulations within the Health Insurance Portability and Accountability Act (HIPAA).

Because of the vast number of medical professionals using their personal mobile devices to access and transmit protected health information (PHI), healthcare organizations had to introduce systems and procedures to facilitate HIPAA compliant text messaging.

The penalties for not complying with the HIPAA regulations for text messaging are substantial, with fines of up to $50,000 for each violation of the Act when a breach of PHI occurs and a maximum of $1.5 million for repeat offenses.

Complying with the HIPAA Regulations for Text Messaging

Complying with the HIPAA regulations for text messaging requires that certain physical, technical and administrative conditions are fulfilled in order to ensure the integrity of PHI. The list below is a selection of the conditions that apply to text messages for HIPAA compliance:

Physical Conditions

  • PHI must be encrypted and maintained on a secure server, with access to the data on that server allowed only to authorized users, who must be allocated unique names or numbers to confirm their identity.
  • Security protocols must be implemented to ensure that PHI cannot be destroyed, copied onto an external hard drive (for example a desktop computer or mobile device), or improperly altered.
  • Any risk of unauthorized physical access to the server(s) on which the encrypted PHI is stored – including hacking – must be identified and eliminated.

Technical Conditions

  • Messaging systems introduced for complying with the HIPAA regulations for text messaging must be able to remotely delete text messages should they be sent to the wrong person or in the event that a mobile device is lost, stolen, or otherwise misplaced.
  • Even though PHI is encrypted, messaging systems must be secured against the unauthorized access or interception of messages containing PHI that are sent or received over public Wi-Fi or on open cell phone networks.
  • The system should also be capable of producing audit logs so that system administrators can monitor the system's use by authorized users and ensure HIPAA compliant text messaging.

Administrative Conditions

  • System administrators must develop policies for text messages and HIPAA compliance, and then ensure that the policies are being adhered to by authorized users.
  • Authorized users must be informed of policies relating to HIPAA compliant text messaging and any sanctions that may be enforced should these policies be violated.
  • Frequent reviews should be conducted in order to amend policies introduced for complying with the HIPAA regulations for text messaging in the event of changes in work practices, revised HIPAA legislation or technological advances.

Who do the Rules for Text Messages and HIPAA Compliance Apply To?

In addition to enacting specific regulations, the Final Omnibus Rule extended the scope of the Act. As well as employers, health insurance providers, health insurance clearing houses and medical professionals, the rules for text messages and HIPAA compliance now apply to associates, subcontractors or any third-party service provider who has access to PHI.

This means that if an insurance provider wants details of the treatment a patient has received in hospital, it also has to be an authorized user on a secure messaging system in order to retrieve that information. Short-term associates, subcontractors and third-party service providers do not necessarily have to become authorized users, provided they sign a contract which requires them to:

  • Implement appropriate safeguards to prevent unauthorized use or disclosure of PHI
  • Return or destroy all PHI they have received or accessed at the termination of the contract

The TigerText Secure Text Messaging Solution

TigerText's secure text messaging solution integrates seamlessly with most existing communication systems by allowing authorized users access to a secure enclosed network to send and receive PHI. The “solution” meets all the physical and technical conditions required for HIPAA compliant text messaging, produces audit logs for administrators to monitor usage by authorized users and automatically generates read receipts when messages have been opened to eliminate the need for follow-up calls.

The secure text messaging solution has been specifically developed by TigerText to operate in much the same way as SMS messaging, so that authorized users will have no difficulty in adhering to policies that are introduced for text messages and HIPAA compliance and can start using the system with minimal instruction.

The Benefits of HIPAA Compliant Text Messaging

Case studies have shown that complying with the HIPAA regulations for text messaging has resulted in numerous benefits. With doctors able to receive PHI on the go and lab results delivered more quickly by secure text messaging, healthcare organizations have seen an increase in staff efficiency and a decrease in costs.

The Houston Fertility Institute noted 80% less time being wasted in phone tag when a TigerText secure text messaging solution with multi-platform functionality was introduced, and the El Rio Community Health Center in Arizona saw a 22% increase in staff efficiency when a TigerText secure text messaging system was implemented as a solution to the existing communication workflows.

Last year the Ponemon Institute conducted research on patient discharges and found that waiting times were cut in half when medical facilities were complying with the HIPAA regulations for text messaging. The Institute calculated that the average saving on staff costs was equivalent to $557,253 each year for each medical facility.